Symptom
The single-connection flag is not set in the first authentication packet sent by the switch. The AAA server's response sets this flag, but the switch never sets the flag to establish the single connection as per:
draft-ietf-opsawg-tacacs-08
For command authorization we see new connections (a new TCP 3-way handshake),
but accounting and shell authorization work over the same existing connection (no 3-way handshake).
Conditions
Switch and AAA server are configured for single connection.
Switch configuration:
tacacs server ISE-TEST
 address ipv4 x.x.x.x
 key 7
 timeout 1
 single-connection
Further Problem Description
As per https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-08.html#rfc.section.3.3 (section 3.3, the TAC_PLUS_SINGLE_CONNECT_FLAG):
The client sets this flag, to indicate that it supports multiplexing TACACS+ sessions over a single TCP connection. The client MUST NOT send a second packet on a connection until single-connect status has been established.
To indicate it will support Single Connection Mode, the server sets this flag in the first reply packet in response to the first request from a client. The server may set this flag even if the client does not set it, but the client may ignore the flag and close the connection after the session completes.
The flag is only relevant for the first two packets on a connection, to allow the client and server to establish Single Connection Mode. No provision is made for changing Single Connection Mode after the first two packets: the client and server MUST ignore the flag after the second packet on a connection.
In our LAB, the switch never sets the flag, and for command authorization we see the 3-way handshake done again (a new connection).
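To make the section 3.3 negotiation concrete, the following is an added Python example; it is not part of this bug report and not Cisco or ISE code. It packs and parses the 12-byte TACACS+ header from the draft (version, type, seq_no, flags, session_id, length, network byte order), then applies the first-two-packets rule to two constructed exchanges: one mimicking the LAB capture described above (client flags=0, server reply with TAC_PLUS_SINGLE_CONNECT_FLAG) and one that a compliant single-connection client would produce. The session_id value and the zero body lengths are made up; packet bodies are omitted because only the header flag matters for this check.

```python
"""TACACS+ header handling and single-connect negotiation check.

Added example, not taken from the bug report or from any vendor code.
Header layout follows draft-ietf-opsawg-tacacs (12 bytes, network byte
order): version, type, seq_no, flags, session_id, length.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constants as defined in the draft
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_ACCT = 0x03
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04

HEADER_FMT = "!BBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes


@dataclass
class Header:
    pkt_type: int
    seq_no: int
    flags: int
    session_id: int
    length: int
    major: int = TAC_PLUS_MAJOR_VER
    minor: int = TAC_PLUS_MINOR_VER_DEFAULT

    def pack(self) -> bytes:
        version = (self.major << 4) | (self.minor & 0x0F)
        return struct.pack(HEADER_FMT, version, self.pkt_type, self.seq_no,
                           self.flags, self.session_id, self.length)

    @classmethod
    def unpack(cls, data: bytes) -> "Header":
        if len(data) < HEADER_LEN:
            raise ValueError("short TACACS+ header")
        version, pkt_type, seq_no, flags, session_id, length = struct.unpack(
            HEADER_FMT, data[:HEADER_LEN])
        if version >> 4 != TAC_PLUS_MAJOR_VER:
            raise ValueError(f"unexpected major version {version >> 4:#x}")
        return cls(pkt_type, seq_no, flags, session_id, length,
                   version >> 4, version & 0x0F)

    @property
    def single_connect(self) -> bool:
        return bool(self.flags & TAC_PLUS_SINGLE_CONNECT_FLAG)


def negotiate_single_connect(packets: Iterable[bytes]) -> str:
    """Apply section 3.3 to the packets seen on one TCP connection.

    Returns "established", "client-did-not-offer", "server-did-not-offer",
    "not-offered", or "incomplete" (fewer than two packets).  Only the
    first request (seq_no 1) and the first reply (seq_no 2) are consulted;
    the flag on any later packet is ignored, as the draft requires.
    """
    first: Optional[Header] = None
    second: Optional[Header] = None
    for i, raw in enumerate(packets):
        hdr = Header.unpack(raw)
        if i == 0:
            if hdr.seq_no != 1:
                raise ValueError("first packet on a connection must have seq_no 1")
            first = hdr
        elif i == 1:
            if hdr.seq_no != 2 or hdr.session_id != first.session_id:
                raise ValueError("second packet must be the reply to the first")
            second = hdr
        else:
            break  # later packets never change single-connect status
    if first is None or second is None:
        return "incomplete"
    client, server = first.single_connect, second.single_connect
    if client and server:
        return "established"
    if server and not client:
        return "client-did-not-offer"  # the behaviour this bug describes
    if client and not server:
        return "server-did-not-offer"
    return "not-offered"


def observed_exchange() -> List[bytes]:
    """Constructed headers mimicking the LAB symptom: the switch's first
    authentication packet has flags=0, the server reply sets the flag.
    session_id and the zero lengths are made up."""
    sid = 0x1234ABCD
    return [
        Header(TAC_PLUS_AUTHEN, 1, 0x00, sid, 0).pack(),
        Header(TAC_PLUS_AUTHEN, 2, TAC_PLUS_SINGLE_CONNECT_FLAG, sid, 0).pack(),
        # a flag on a third packet must be ignored
        Header(TAC_PLUS_AUTHEN, 3, TAC_PLUS_SINGLE_CONNECT_FLAG, sid, 0).pack(),
    ]


def compliant_exchange() -> List[bytes]:
    """Constructed headers for a client configured for single connection."""
    sid = 0x1234ABCD
    return [
        Header(TAC_PLUS_AUTHEN, 1, TAC_PLUS_SINGLE_CONNECT_FLAG, sid, 0).pack(),
        Header(TAC_PLUS_AUTHEN, 2, TAC_PLUS_SINGLE_CONNECT_FLAG, sid, 0).pack(),
    ]


if __name__ == "__main__":
    print("observed :", negotiate_single_connect(observed_exchange()))
    print("compliant:", negotiate_single_connect(compliant_exchange()))
```

Against a real capture, feed `negotiate_single_connect` the TCP payloads of the first two packets on a connection, in order; the flags byte is at offset 3 of the header, so a quick check in a packet dissector is whether bit 0x04 is set in the packet with seq_no 1 (from the switch) and in the one with seq_no 2 (from the server). A later packet carrying the flag, as in the third constructed header above, does not change the result.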